Popular VPN site cloned to spread malware

A sneaky way of installing a banking trojan

In brief: Hackers are always using inventive ways to implant malware on people’s computers, including the cloning of a popular VPN website to spread a banking trojan.

Researchers at Doctor Web’s virus lab discovered that criminals created a website that was a copy of the one belonging to virtual private network service NordVPN. This nord-vpn[.]club website, which is currently inaccessible, was almost identical to the official nordvpn.com site.

To make this cloned website appear more legitimate and help it pass browser security checks, it had a valid SSL certificate that was issued by open certificate authority Let’s Encrypt.

The fake website

Visitors to the fake website were prompted to download NordVPN's client. The real program was installed to avoid suspicion, but the the Win32.Bolik.2 banking Trojan was downloaded alongside it, infecting a user’s system.

“The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems,” the Doctor Web report explains.

Earlier this year, the hacking group behind this campaign compromised the website of free video editor VSDC to distribute the same banking trojan.

NordVPN's Head of Public Relations, Laura Tyrell, gave the following statement to Bleeping Computer.

Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.

Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.

What NordVPN won’t do:

NordVPN only sells accounts on its official website. We only sell legitimate NordVPN accounts on our official website: https://nordvpn.com/. NordVPN can also be found in certain retailers' stores, the list is provided on the NordVPN’s website: https://nordvpn.com/retail/.

NordVPN won't send you to the wrong website. Scammers use websites that look like NordVPN’s to scam internet users. The core part of NordVPN’s webpage URL will always be https://nordvpn.com/. The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.

NordVPN representatives will never ask for your password. If someone posing as a NordVPN representative tries to find out your password, they are scammers. Also, be aware of fake password change emails. You should never disclose your password to anyone.

NordVPN won't use sketchy email addresses. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like nordvpn@gmail.com or nordvpn@nord.com. However, hackers can easily fake a legitimate email address. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/.

NordVPN does not make phone calls. NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page: https://www.facebook.com/NordVPN/. Do not trust connections outside of these communication tools.